move rest of pod checks over to schema

2026-05-07 01:36:41 +00:00 · 2019-12-20 17:33:52 +00:00
parent d80d326f7c
commit 3304285b4e
5 changed files with 38 additions and 31 deletions
--- a/checks/hostIPC.yaml
+++ b/checks/hostIPC.yaml
@@ -0,0 +1,15 @@
+name: HostIPCSet
+id: hostIPCSet
+successMessage: Host IPC is not configured
+failureMessage: Host IPC should not be configured
+category: Security
+controllers:
+  exclude: []
+target: Pod
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  properties:
+    hostIPC:
+      not:
+        const: true
--- a/checks/host_network.yaml
+++ b/checks/host_network.yaml
@@ -12,5 +12,4 @@ schema:
  properties:
    hostNetwork:
      not:
-        enum:
-        - true
+        const: true
--- a/checks/hostPID.yaml
+++ b/checks/hostPID.yaml
@@ -0,0 +1,15 @@
+name: HostPIDSet
+id: hostPIDSet
+successMessage: Host PID is not configured
+failureMessage: Host PID should not be configured
+category: Security
+controllers:
+  exclude: []
+target: Pod
+schema:
+  '$schema': http://json-schema.org/draft-07/schema
+  type: object
+  properties:
+    hostPID:
+      not:
+        const: true
--- a/pkg/validator/pod.go
+++ b/pkg/validator/pod.go
@@ -16,7 +16,6 @@ package validator

 import (
 	"github.com/fairwindsops/polaris/pkg/config"
-	"github.com/fairwindsops/polaris/pkg/validator/messages"
 	corev1 "k8s.io/api/core/v1"
 )

@@ -33,7 +32,6 @@ func ValidatePod(conf config.Configuration, pod *corev1.PodSpec, controllerName
 		ResourceValidation: &ResourceValidation{},
 	}

-	pv.validateSecurity(&conf, controllerName)
 	applyPodSchemaChecks(&conf, pod, controllerName, &pv)

 	pRes := PodResult{
@@ -59,27 +57,3 @@ func (pv *PodValidation) validateContainers(containers []corev1.Container, pRes
 		pRes.ContainerResults = append(pRes.ContainerResults, cRes)
 	}
 }
-
-func (pv *PodValidation) validateSecurity(conf *config.Configuration, controllerName string) {
-	category := messages.CategorySecurity
-
-	name := "HostIPCSet"
-	if conf.IsActionable(conf.Security, name, controllerName) {
-		id := config.GetIDFromField(conf.Security, name)
-		if pv.Pod.HostIPC {
-			pv.addFailure(messages.HostIPCFailure, conf.Security.HostIPCSet, category, id)
-		} else {
-			pv.addSuccess(messages.HostIPCSuccess, category, id)
-		}
-	}
-
-	name = "HostPIDSet"
-	if conf.IsActionable(conf.Security, name, controllerName) {
-		id := config.GetIDFromField(conf.Security, name)
-		if pv.Pod.HostPID {
-			pv.addFailure(messages.HostPIDFailure, conf.Security.HostPIDSet, category, id)
-		} else {
-			pv.addSuccess(messages.HostPIDSuccess, category, id)
-		}
-	}
-}
--- a/pkg/validator/schema.go
+++ b/pkg/validator/schema.go
@@ -44,13 +44,17 @@ var (
 		TargetContainer: []SchemaCheck{},
 		TargetPod:       []SchemaCheck{},
 	}
+	checkOrder = []string{
+		"hostIPC",
+		"hostPID",
+		"hostNetwork",
+	}
 )

 func init() {
 	schemaBox = packr.New("Schemas", "../../checks")
-	files := schemaBox.List()
-	for _, file := range files {
-		contents, err := schemaBox.Find(file)
+	for _, file := range checkOrder {
+		contents, err := schemaBox.Find(file + ".yaml")
 		if err != nil {
 			panic(err)
 		}